{"id":50522444,"url":"https://github.com/tocconsulting/lambda-security-scanner","last_synced_at":"2026-06-06T08:00:51.020Z","repository":{"id":361503031,"uuid":"1254701102","full_name":"TocConsulting/lambda-security-scanner","owner":"TocConsulting","description":"AWS Lambda security scanner: 19 checks across 5 categories, secret detection in env vars, and compliance mapping for 10 frameworks (CIS, PCI DSS, HIPAA, SOC 2, ISO 27001, NIST). Multi-threaded scans with interactive HTML dashboards.","archived":false,"fork":false,"pushed_at":"2026-05-31T00:09:12.000Z","size":796,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-03T05:33:59.668Z","etag":null,"topics":["aws","aws-security","cis-benchmark","cloud-security","compliance","cspm","devsecops","hipaa","lambda","nist","pci-dss","python","security","security-scanner","serverless","soc2"],"latest_commit_sha":null,"homepage":"https://pypi.org/project/lambda-security-scanner/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/TocConsulting.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"security-checks.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-30T22:41:57.000Z","updated_at":"2026-06-02T21:59:21.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/TocConsulting/lambda-security-scanner","commit_stats":null,"previous_names":["tocconsulting/lambda-security-scanner"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/TocConsulting/lambda-security-scanner","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TocConsulting%2Flambda-security-scanner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TocConsulting%2Flambda-security-scanner/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TocConsulting%2Flambda-security-scanner/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TocConsulting%2Flambda-security-scanner/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/TocConsulting","download_url":"https://codeload.github.com/TocConsulting/lambda-security-scanner/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TocConsulting%2Flambda-security-scanner/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33891733,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-04T02:00:06.755Z","response_time":64,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-security","cis-benchmark","cloud-security","compliance","cspm","devsecops","hipaa","lambda","nist","pci-dss","python","security","security-scanner","serverless","soc2"],"created_at":"2026-06-03T05:30:41.862Z","updated_at":"2026-06-04T06:00:29.029Z","avatar_url":"https://github.com/TocConsulting.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://raw.githubusercontent.com/TocConsulting/lambda-security-scanner/main/assets/lambda-security-scanner-logo.png\" alt=\"Lambda Security Scanner\" style=\"max-width: 100%; height: auto;\"\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://pypi.org/project/lambda-security-scanner/\"\u003e\u003cimg src=\"https://img.shields.io/pypi/v/lambda-security-scanner.svg\" alt=\"PyPI version\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://pepy.tech/project/lambda-security-scanner\"\u003e\u003cimg src=\"https://static.pepy.tech/badge/lambda-security-scanner\" alt=\"Downloads\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://hub.docker.com/r/tarekcheikh/lambda-security-scanner\"\u003e\u003cimg src=\"https://img.shields.io/docker/v/tarekcheikh/lambda-security-scanner?label=docker\u0026logo=docker\" alt=\"Docker\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://hub.docker.com/r/tarekcheikh/lambda-security-scanner\"\u003e\u003cimg src=\"https://img.shields.io/docker/pulls/tarekcheikh/lambda-security-scanner\" alt=\"Docker Pulls\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://opensource.org/licenses/MIT\"\u003e\u003cimg src=\"https://img.shields.io/badge/License-MIT-brightgreen.svg\" alt=\"License: MIT\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://www.python.org/downloads/\"\u003e\u003cimg src=\"https://img.shields.io/badge/python-3.10+-blue.svg\" alt=\"Python\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://aws.amazon.com/lambda/\"\u003e\u003cimg src=\"https://img.shields.io/badge/AWS-Lambda-orange.svg\" alt=\"AWS\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\nA comprehensive AWS Lambda security scanner with 19 security checks across 5 categories and compliance mapping for 10 frameworks (81 controls). Features multi-threaded scanning, secret detection in environment variables, and interactive HTML dashboards.\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://raw.githubusercontent.com/TocConsulting/lambda-security-scanner/main/assets/demo.gif\" alt=\"Lambda Security Scanner demo: secrets, public URLs, IAM, and multi-framework compliance\" width=\"100%\"\u003e\n\u003c/p\u003e\n\n## Key Features\n\n### **Comprehensive Security Analysis**\n- **Function Configuration**: Deprecated runtime detection, timeout tuning, environment variable secret scanning, ephemeral storage, external layers, X-Ray tracing, dead letter queues\n- **Access Control**: Resource policy public access, function URL authentication, CORS wildcard origins, overly permissive execution roles, shared role detection\n- **Network Security**: VPC configuration, multi-AZ deployment, unrestricted security group egress\n- **Logging \u0026 Monitoring**: CloudWatch log group validation, log retention policies, reserved concurrency\n- **Code \u0026 Supply Chain**: Code signing configuration, event source mapping failure destinations\n\n### **Compliance Frameworks**\n- **AWS Foundational Security Best Practices (FSBP)**: 5 Lambda-specific controls\n- **CIS AWS Compute Services Benchmark**: 8 controls (scanner-defined IDs mapped to the benchmark's Lambda guidance; see note below)\n- **PCI DSS v4.0.1**: 8 controls\n- **HIPAA Security Rule**: 9 controls\n- **SOC 2**: 11 controls\n- **ISO 27001:2022**: 11 controls\n- **ISO 27017:2015**: 4 cloud security controls\n- **ISO 27018:2019**: 5 PII protection controls\n- **GDPR (EU) 2016/679**: 8 controls\n- **NIST SP 800-53 Rev5**: 12 controls\n\n### **Performance \u0026 Usability**\n- **Multi-threaded Scanning**: Parallel function analysis with ThreadPoolExecutor\n- **Rich Console Output**: Progress bars, colored output, and formatted tables\n- **Multiple Report Formats**: JSON, CSV, HTML, and compliance-specific reports\n- **Beautiful HTML Reports**: Interactive dashboard with Chart.js visualizations\n- **Flexible Targeting**: Scan all functions, specific names, or exclude by name\n\n### **Production Ready**\n- **Modular Architecture**: Facade pattern with 5 dedicated checker modules\n- **Thread-safe Sessions**: Thread-local boto3 session management\n- **Graceful Degradation**: AccessDenied errors don't crash scans\n- **Mutual Exclusion Scoring**: Overlapping check variants use highest deduction only\n\n## Quick Start\n\n### Installation\n\n```bash\n# Install from source\ngit clone https://github.com/TocConsulting/lambda-security-scanner.git\ncd lambda-security-scanner\npip install .\n```\n\n### Docker Installation\n\n```bash\n# Build from source\ndocker build -t lambda-security-scanner .\n```\n\n### Basic Usage\n\n```bash\n# Scan all Lambda functions\nlambda-security-scanner security\n\n# Scan with specific AWS profile\nlambda-security-scanner security --profile production\n\n# Scan specific functions only\nlambda-security-scanner security -n my-function -n other-function\n\n# Exclude specific functions\nlambda-security-scanner security --exclude-function test-func\n\n# Compliance report only\nlambda-security-scanner security --compliance-only\n\n# JSON report only, quiet mode (for CI/CD)\nlambda-security-scanner security -f json -q\n```\n\n## Commands\n\n### Security Command\n\nScan Lambda functions for security vulnerabilities and compliance issues.\n\n```bash\nlambda-security-scanner security [OPTIONS]\n\nOptions:\n  -n, --function-name TEXT       Specific function name(s) to scan (multiple)\n  --exclude-function TEXT        Function name(s) to exclude\n  --compliance-only              Generate compliance report only\n  -r, --region TEXT              AWS region (default: us-east-1)\n  -p, --profile TEXT             AWS profile name\n  -o, --output-dir TEXT          Output directory (default: ./output)\n  -f, --output-format TEXT       Report format: json, csv, html, all (default: all)\n  -w, --max-workers INTEGER      Worker threads (default: 5)\n  -q, --quiet                    Suppress console output except errors\n  -d, --debug                    Enable debug logging\n  -h, --help                     Show help\n\n# Top-level options (before the 'security' command):\n#   lambda-security-scanner --version\n#   lambda-security-scanner --help\n```\n\n**Examples:**\n```bash\n# Scan all functions with default settings\nlambda-security-scanner security\n\n# Scan specific functions in a different region\nlambda-security-scanner security -n my-api -n my-worker -r eu-west-1\n\n# Fast compliance-only scan with HTML output\nlambda-security-scanner security --compliance-only -f html -p production\n\n# High-performance scan with more threads\nlambda-security-scanner security -w 20 -r eu-west-1\n\n# JSON report only, quiet mode (for CI/CD)\nlambda-security-scanner security -f json -q\n```\n\n## Security Checks\n\n### 19 Checks Across 5 Categories\n\n| ID  | Check                                    | Severity          | Category              |\n|-----|------------------------------------------|-------------------|-----------------------|\n| A.1 | Deprecated/EOL runtime                   | HIGH/CRITICAL/LOW | Function Config       |\n| A.2 | Maximum timeout (900s)                   | LOW               | Function Config       |\n| A.3 | Environment variable secrets             | CRITICAL/HIGH     | Function Config       |\n| A.4 | Large ephemeral storage                  | LOW               | Function Config       |\n| A.5 | External Lambda layers                   | MEDIUM            | Function Config       |\n| A.6 | X-Ray tracing disabled                   | LOW               | Function Config       |\n| A.7 | No dead letter queue                     | LOW               | Function Config       |\n| B.1 | Resource policy public access            | CRITICAL          | Access Control        |\n| B.2 | Function URL no authentication           | CRITICAL          | Access Control        |\n| B.3 | Function URL CORS allows all origins     | HIGH              | Access Control        |\n| B.4 | Overly permissive execution role         | CRITICAL/HIGH     | Access Control        |\n| B.5 | Shared execution role                    | HIGH              | Access Control        |\n| C.1 | No VPC configuration                     | LOW               | Network Security      |\n| C.2 | VPC single AZ                            | MEDIUM            | Network Security      |\n| C.3 | Unrestricted SG egress                   | MEDIUM            | Network Security      |\n| D.1 | Log group missing/no retention           | MEDIUM            | Logging \u0026 Monitoring  |\n| D.2 | No reserved concurrency                  | LOW               | Logging \u0026 Monitoring  |\n| E.1 | No code signing                          | MEDIUM/LOW        | Code \u0026 Supply Chain   |\n| E.2 | ESM without failure destination          | MEDIUM            | Code \u0026 Supply Chain   |\n\n### Secret Detection in Environment Variables (A.3)\n\nThe scanner decodes and scans Lambda environment variables for exposed secrets:\n\n| Pattern | Examples |\n|---------|----------|\n| AWS Access Keys | `AKIA...`, `ASIA...` |\n| AWS Secret Keys | `aws_secret_access_key=...` |\n| Passwords | `PASSWORD=`, `DB_PASSWORD=`, `SECRET_KEY=` |\n| Private Keys | `-----BEGIN PRIVATE KEY-----` |\n| GitHub Tokens | `ghp_...`, `gho_...`, `ghs_...` |\n| API Keys | `api_key=`, `api_token=`, `AUTH_TOKEN=` |\n| Connection Strings | `postgres://user:pass@host/db` |\n| SaaS Tokens | Slack, Stripe (`sk_live_`), Twilio, SendGrid |\n\n**Safe references are not flagged.** A secret-named variable whose value is a managed-secret reference (a Secrets Manager / SSM / KMS ARN, an SSM parameter path like `/app/db/pwd`, or a CloudFormation `{{resolve:...}}` dynamic reference) is the AWS-recommended pattern and is treated as clean, not as a leaked secret. Trivial config values (booleans, ports, environment names) are likewise ignored.\n\n## Compliance Frameworks\n\n| Framework | Controls | Focus |\n|-----------|----------|-------|\n| AWS-FSBP | 5 | Lambda-specific Security Hub controls |\n| CIS | 8 | Compute Services Benchmark |\n| PCI DSS v4.0.1 | 8 | Payment card data protection |\n| HIPAA | 9 | Healthcare data security |\n| SOC 2 | 11 | Service organization controls |\n| ISO 27001:2022 | 11 | Information security management |\n| ISO 27017:2015 | 4 | Cloud security controls |\n| ISO 27018:2019 | 5 | PII protection in cloud |\n| GDPR | 8 | EU data protection regulation |\n| NIST 800-53 Rev5 | 12 | Federal security controls |\n\n\u003e **Note on control IDs:** Most frameworks use their official citations (e.g. HIPAA `164.312(a)(1)`, ISO 27001 `A.5.15`, SOC 2 `CC6.1`, NIST `AC-3`). The **CIS** entries map to the real **CIS AWS Compute Services Benchmark** Lambda guidance, but the `CIS-Lambda.N` identifiers are this scanner's own labels, not the benchmark's official recommendation numbers (which are section `5.x`). They are an alignment aid, not verbatim CIS control numbers.\n\n## Docker Usage\n\n### Basic Docker Commands\n\n```bash\n# Show help\ndocker run --rm lambda-security-scanner --help\n\n# Show security command help\ndocker run --rm lambda-security-scanner security --help\n```\n\n### Security Scanning with Docker\n\n```bash\n# Scan using mounted AWS credentials\ndocker run --rm \\\n  -v ~/.aws:/root/.aws:ro \\\n  -v $(pwd)/output:/app/output \\\n  lambda-security-scanner security\n\n# Scan with specific AWS profile\ndocker run --rm \\\n  -v ~/.aws:/root/.aws:ro \\\n  -v $(pwd)/output:/app/output \\\n  lambda-security-scanner security --profile production\n\n# Scan specific functions\ndocker run --rm \\\n  -v ~/.aws:/root/.aws:ro \\\n  -v $(pwd)/output:/app/output \\\n  lambda-security-scanner security -n my-function\n```\n\n### Using Environment Variables for AWS Credentials\n\n```bash\ndocker run --rm \\\n  -e AWS_ACCESS_KEY_ID \\\n  -e AWS_SECRET_ACCESS_KEY \\\n  -e AWS_DEFAULT_REGION=us-east-1 \\\n  -v $(pwd)/output:/app/output \\\n  lambda-security-scanner security\n\n# With session token (for temporary credentials/assumed roles)\ndocker run --rm \\\n  -e AWS_ACCESS_KEY_ID \\\n  -e AWS_SECRET_ACCESS_KEY \\\n  -e AWS_SESSION_TOKEN \\\n  -e AWS_DEFAULT_REGION=us-east-1 \\\n  -v $(pwd)/output:/app/output \\\n  lambda-security-scanner security\n```\n\n### Docker Volume Mounts\n\n| Mount | Purpose |\n|-------|---------|\n| `-v ~/.aws:/root/.aws:ro` | Mount AWS credentials (read-only) |\n| `-v $(pwd)/output:/app/output` | Save reports to local directory |\n\n## Prerequisites\n\n### Python Requirements\n- Python 3.10 or higher\n- Required packages (installed automatically):\n  - `boto3\u003e=1.26.0`\n  - `botocore\u003e=1.29.0`\n  - `rich\u003e=13.0.0`\n  - `click\u003e=8.1.0`\n  - `jinja2\u003e=3.1.0`\n\n### AWS Requirements\n- AWS credentials configured (via AWS CLI, environment variables, or IAM roles)\n- Required permissions:\n\n```json\n{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [{\n        \"Effect\": \"Allow\",\n        \"Action\": [\n            \"lambda:ListFunctions\",\n            \"lambda:GetFunctionConfiguration\",\n            \"lambda:GetPolicy\",\n            \"lambda:GetFunctionUrlConfig\",\n            \"lambda:GetFunctionCodeSigningConfig\",\n            \"lambda:GetCodeSigningConfig\",\n            \"lambda:GetFunctionConcurrency\",\n            \"lambda:ListEventSourceMappings\",\n            \"iam:ListAttachedRolePolicies\",\n            \"iam:GetPolicy\",\n            \"iam:GetPolicyVersion\",\n            \"iam:ListRolePolicies\",\n            \"iam:GetRolePolicy\",\n            \"ec2:DescribeSubnets\",\n            \"ec2:DescribeSecurityGroups\",\n            \"logs:DescribeLogGroups\",\n            \"sts:GetCallerIdentity\"\n        ],\n        \"Resource\": \"*\"\n    }]\n}\n```\n\n## Security Scoring\n\nEach function receives a security score (0-100) starting at **100 points**:\n\n| Check | Condition | Deduction | Severity |\n|-------|-----------|-----------|----------|\n| B.1 | Resource policy allows public access | -25 | CRITICAL |\n| B.2 | Function URL AuthType NONE | -25 | CRITICAL |\n| A.3 | Env var secrets, no KMS (mutually excl.) | -20 | CRITICAL |\n| B.4 | Admin-equivalent access (Administrator/PowerUser/IAMFull or `*`) | -20 | CRITICAL |\n| A.1 | Runtime blocked | -15 | HIGH |\n| A.1 | Runtime deprecated | -10 | HIGH |\n| B.3 | CORS allows all origins | -10 | HIGH |\n| B.4 | Service-level wildcard actions (e.g. `s3:*`) | -10 | HIGH |\n| B.4 | Privilege escalation permissions | -10 | HIGH |\n| B.5 | Shared execution role | -10 | HIGH |\n| A.3 | Env var secrets, has KMS (mutually excl.) | -10 | HIGH |\n| C.2 | VPC single AZ | -5 | MEDIUM |\n| C.3 | Unrestricted SG egress | -5 | MEDIUM |\n| D.1 | Log group missing or no retention | -5 | MEDIUM |\n| A.6 | X-Ray tracing disabled | -2 | LOW |\n| A.7 | No dead letter queue | -2 | LOW |\n| D.2 | No reserved concurrency | -2 | LOW |\n| E.1 | No code signing config | -5 | MEDIUM |\n| E.2 | ESM without failure destination | -5 | MEDIUM |\n| A.5 | External Lambda layers | -3 | MEDIUM |\n| C.1 | No VPC configuration | -3 | LOW |\n| A.1 | Runtime near EOL | -3 | LOW |\n| E.1 | Code signing policy Warn (not Enforce) | -3 | LOW |\n| A.2 | Maximum timeout (900s) | -2 | LOW |\n| A.4 | Large ephemeral storage | -2 | LOW |\n\n**Mutual exclusion rules:**\n- A.1: Only the highest-severity runtime deduction applies (blocked \u003e deprecated \u003e near_eol)\n- A.3: Only one of the two variants applies (no KMS \u003e has KMS)\n- E.1: Only one of the two variants applies (no config \u003e Warn policy)\n\n**Formula**: `Score = max(0, 100 - total_deductions)`\n\n### Score Interpretation\n\n| Score Range | Level | Action |\n|-------------|-------|--------|\n| 90-100 | Excellent | Maintain current posture |\n| 70-89 | Good | Address minor gaps |\n| 50-69 | Needs Improvement | Fix medium-priority issues |\n| 0-49 | Poor | Immediate action required |\n\n## Output Files\n\nThe scanner generates reports in the specified output directory:\n\n### JSON Report (`lambda_scan_region_timestamp.json`)\n```json\n{\n  \"summary\": {\n    \"scan_time\": \"2026-03-11T10:30:45\",\n    \"region\": \"us-east-1\",\n    \"account_id\": \"123456789012\",\n    \"total_functions\": 25,\n    \"average_security_score\": 82.3\n  },\n  \"results\": [...]\n}\n```\n\n### CSV Report (`lambda_scan_region_timestamp.csv`)\nSpreadsheet-friendly format with all key metrics and compliance status.\n\n### HTML Report (`lambda_scan_region_timestamp.html`)\nInteractive dashboard with:\n- **Executive Summary**: Key metrics and risk indicators\n- **Score Distribution**: Bar chart of function security scores\n- **Compliance Overview**: Bar chart across all 10 frameworks\n- **Severity Breakdown**: Doughnut chart of findings by severity\n- **Function Details**: Sortable table with score bars\n- **Critical Findings**: Table of high/critical severity issues\n\n### Compliance Report (`lambda_compliance_region_timestamp.json`)\nPer-function compliance evaluation across all 10 frameworks with passed/failed control details.\n\n## Modular Architecture\n\n```\nlambda_security_scanner/\n├── scanner.py                  # Main scanner orchestration (facade pattern)\n├── cli.py                      # Click CLI interface\n├── compliance.py               # 81 controls across 10 frameworks\n├── html_reporter.py            # Jinja2 HTML report generation\n├── utils.py                    # Logging, scoring, formatting\n├── checks/                     # Security check modules\n│   ├── base.py                 # BaseChecker (session factory, error handling)\n│   ├── function_config.py      # A.1-A.7: Runtime, secrets, layers, tracing\n│   ├── access_control.py       # B.1-B.5: Policies, URLs, roles\n│   ├── network_security.py     # C.1-C.3: VPC, AZ, security groups\n│   ├── logging_monitoring.py   # D.1-D.2: Log groups, concurrency\n│   └── code_security.py        # E.1-E.2: Code signing, ESM\n└── templates/\n    └── report.html             # Interactive HTML dashboard\n```\n\n## Development\n\n### Setting Up Development Environment\n\n```bash\ngit clone https://github.com/TocConsulting/lambda-security-scanner.git\ncd lambda-security-scanner\n\npython -m venv venv\nsource venv/bin/activate\n\npip install -e \".[dev]\"\n```\n\n## Testing\n\n```bash\n# Install development dependencies\npip install -e \".[dev]\"\n\n# Run all tests\npython -m pytest tests/ -v\n\n# Run specific test file\npython -m pytest tests/test_compliance.py -v\n\n# Run with coverage\npython -m pytest tests/ --cov=lambda_security_scanner --cov-report=html\n\n# Code formatting\nblack lambda_security_scanner/ tests/\n```\n\n## Support \u0026 Contributing\n\n### Getting Help\n- **Documentation**: Check this README and inline help (`--help`)\n- **Issues**: Report bugs via [GitHub Issues](https://github.com/TocConsulting/lambda-security-scanner/issues)\n\n### Contributing\nWe welcome contributions! Please:\n1. Fork the repository\n2. Create a feature branch\n3. Add tests for new functionality\n4. Submit a pull request\n\n## License\n\nThis project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.\n\n## Acknowledgments\n\n- **AWS Security Best Practices**: Based on official AWS security recommendations\n- **CIS Benchmarks**: Maps findings to the CIS AWS Compute Services Benchmark Lambda guidance (scanner-defined control identifiers)\n- **[ec2-security-scanner](https://github.com/TocConsulting/ec2-security-scanner)**: Architecture and design patterns\n\n---\n\n**Security Notice**: This tool is designed for defensive security purposes only. Always ensure you have proper authorization before scanning AWS resources. The tool requires read-only permissions and does not modify any AWS resources.\n\n**Performance Note**: The scanner uses parallel function analysis with ThreadPoolExecutor to minimize scan time. Use `-w` to adjust parallelism based on your API rate limits.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftocconsulting%2Flambda-security-scanner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftocconsulting%2Flambda-security-scanner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftocconsulting%2Flambda-security-scanner/lists"}